As you may know, many Windows 2003 and Windows 2000 servers are being compromised, either by bots or manually, especially those in .mil and .gov domains.
In almost all of these cases the attackers are exploiting the MS Windows Server Service Code Execution vulnerability (MS08-067).
In this article I won't explain how to do that, but I'll cover some points to show how easy it is to get access to a remote Windows server using this vulnerability.
First of all, we only need 3 things:
- nmap (do I need to say anything about nmap?)
- the nmap smb-check-vulns.nse script (an nmap script that checks for the MS08-067 vulnerability, Conficker, and a DoS vulnerability on Windows 2000)
- the MS08-067 exploit by Debasis Mohanty (there are many variants of this exploit)
We start by scanning our network (test on your own network, not on machines you don't own) with nmap, using the script described above and also scanning for open port 445 (microsoft-ds).
If you get this:
Host script results:
|_ smb-check-vulns: This host is vulnerable to MS08-067
it seems that you have found a possibly exploitable server. After that you only have to run the exploit.
[-]Windows 2003[SP2] payload loaded
[-]Initiating connection
[-]connected to ncacn_np:xxx.xxx.xxx.xxx
[-]Exploit sent to target successfully…
[1]Telnet to port 4444 on target machine…
If all goes well, after connecting to port 4444 of the vulnerable machine you'll get something like this:
trying xxx.xxx.xxx.xxx…
Connected to xxx.xxx.xxx.xxx.
Escape character is ‘^]’.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOW\system32>
This type of attack is already built into rxBot and other bots. As you may have noticed, it is very simple for a malicious user to use it to spread worms, launch DoS attacks, deface sites, etc.
You can read more about this flaw in the Microsoft Security Bulletin.
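The useful defensive output of the scan step above is an inventory: which hosts still expose port 445 and which of those the smb-check-vulns script flags, so they can be patched or firewalled before someone else runs the exploit. The following script is an added example, not code from the original post or from the nmap project; it parses nmap's normal output (-oN) for the "vulnerable to MS08-067" line in the format quoted above. The embedded scan output, the 192.0.2.x addresses and the "not vulnerable" wording for a patched host are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of nmap normal output (-oN) for three hosts. The
# smb-check-vulns line mirrors the format quoted in the post; the wording
# for the patched host (192.0.2.12) is an assumption for this example.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up (0.0021s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_ smb-check-vulns: This host is vulnerable to MS08-067

Nmap scan report for 192.0.2.11
Host is up (0.0034s latency).
PORT    STATE  SERVICE
445/tcp closed microsoft-ds

Nmap scan report for 192.0.2.12
Host is up (0.0018s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_ smb-check-vulns: This host is not vulnerable to MS08-067
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\w+)\s+(\S+)")
# Only match a positive finding; "not vulnerable" is filtered out first.
VULN_RE = re.compile(r"smb-check-vulns:.*\bvulnerable to (MS\d{2}-\d{3})")
NOT_VULN_RE = re.compile(r"smb-check-vulns:.*\bnot vulnerable", re.IGNORECASE)


@dataclass
class HostFinding:
    address: str
    smb_open: bool = False                      # 445/tcp reported open
    vulnerable: list = field(default_factory=list)  # bulletin ids flagged


def parse_nmap_output(text):
    """Split nmap normal output into one HostFinding per scanned host."""
    hosts = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = HostFinding(address=m.group(1))
            hosts.append(current)
            continue
        if current is None:
            continue  # header text before the first host
        m = PORT_RE.match(line)
        if m and m.group(1) == "445" and m.group(2) == "open":
            current.smb_open = True
            continue
        if NOT_VULN_RE.search(line):
            continue
        m = VULN_RE.search(line)
        if m:
            current.vulnerable.append(m.group(1))
    return hosts


def remediation_queue(hosts):
    """Hosts to patch first: SMB reachable and flagged vulnerable."""
    return sorted(h.address for h in hosts if h.smb_open and h.vulnerable)


def exposure_only(hosts):
    """Hosts with 445 open but nothing flagged: candidates for firewall review."""
    return sorted(h.address for h in hosts if h.smb_open and not h.vulnerable)


if __name__ == "__main__":
    findings = parse_nmap_output(SAMPLE_NMAP_OUTPUT)
    print("patch now:      ", remediation_queue(findings))
    print("review exposure:", exposure_only(findings))
```

Feed it a real scan with `nmap -p445 --script smb-check-vulns -oN scan.txt <your range>` and `parse_nmap_output(open("scan.txt").read())`; the two lists separate hosts that need the MS08-067 patch immediately from hosts that merely expose SMB and should not be reachable from untrusted networks at all.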